Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

krebsatwpost writes "The Department of Homeland Security has named Microsoft's 'chief trustworthy infrastructure strategist' Phil Reitinger to be its top cyber security official. Many in the security industry praised him as a smart pick, but said he will need to confront a culture of political infighting and leadership failures at DHS. From the story: 'Reitinger comes to the position with cyber experience in both the public and private sectors. Prior to joining Microsoft in 2003, he was executive director of the Defense Department's Computer Forensics Lab. Before that, he was deputy chief of the Justice Department's Computer Crimes and Intellectual Property section, where he worked under Scott Charney, who is currently corporate vice president for trustworthy computing at Microsoft.'"

People who can use punctuation, capitalization, and spell properly. Actually, I think he was referring to those who voted the President into office.

Actually, no, most of the people voting for Obama didn't know some very basic things [howobamagotelected.com] about him or the opposition. And what they did know, was often wrong.

In the particularly striking example, the vast majority attributed the infamous I can see Russia from my house! [brisbanetimes.com.au] to Sarah Palin, when, in fact, the phrase was coined by Saturday Night Live, who were mocking her

[...] just because this guy worked for Microsoft doesn't mean he lacks intelligence.

No, but it does mean that he was part of the team fighting US-CERT for months over autorun, at least. He likely helped resist an effort by a division of the department he is to head to fix a security problem that was so bad, they felt it endangered national security.

A sad note on the autorun activity. The challenges US-CERT has are complex as they have little ability to enforce sane standards and are just as the name says a response team. Once you formulate a response, someone has to execute it, and the federal government is one of the largest enterprises out there, certainly if you include all the contractors as well. It will be interesting to see if there is a shift away from bah to career feds.

At the same time, everyone makes mistakes and Phil has always shown hi

I don't know. Even if he just did nothing to stop Microsoft's resistance it would be bad.

If guys from CERT called me and said, "Hey, could you make The Autorun and NoDriveTypeAutorun registry values actually do something? We worried about this 10 million strong botnet," I'd probably comply. The reality was even worse; Microsoft wrote instructions for users to mitigate the problem which they knew were not effective.

The last thing I would do would be to start a PR war, which they did only to save face about something that has been criticized for over a decade. It's amazing... some slight marketing concern overrode what they were told was a matter of national security.

some slight marketing concern overrode what they were told was a matter of national security.

Marketing over national security (as well as other real issues) is how Obama got elected [howobamagotelected.com] in the first place. Even if we continue to give him the benefit of the doubt regarding past nasty associations (racist pastor Wright, terrorists Bill and Bernardine Ayers, governor Blagojevich), and not (yet?) question his personal integrity, the man's lack of experience (or, more harshly, lack of substance) is showing already:

Why do you people think that the next new guy will be any different than the last one? I don't care WHO is elected. If they are Democrat or Republican, they will cater to their interests first and do the right thing last.

MSFT funded a lot of his campaign. This is paying them back by appointing one of their executives, or they use their buddies.This happens every change of power.

I just get a royal kick out of all the "WOO CHANGE!" people all sitting in their chairs sober now with their mouth open at the TV sets staring in disbelief.

The only advantage is that this time our president is actually educated and articulate.

Before that, he was deputy chief of the Justice Department's Computer Crimes and Intellectual Property section, where he worked under Scott Charney, who is currently corporate vice president for trustworthy computing at Microsoft

Trust... worthy... computing at Microsoft... Isn't there a law that prohibits the words trustworthy and Microsoft in the same sentence?

The term might not be used as often, but the concept is alive and well

"the new chips will 'block unauthorized access to the frame buffer.'...

There is a short list of parties who will be unauthorized to access your frame buffer: You. There is a long list of parties who are authorized to access your frame buffer, and that list includes Microsoft, Apple, AMD, Intel, ATI, NVidia, Sony Pictures, Paramount, HBO, CBS, Macrovision, and all other content owners and enablers that want your machine to themselves whenever youâ(TM)re watching, listening to, reading, or shooting monsters with their products. "

Want to make sure that no unauthorized applications are secretly recording your activities? This denies access to the frame buffer from remote viewing.

Wrong. This is only possible if you control the keys to the TPM. If you cannot set the keys you cannot implement any method of making sure unauthorized applications (who do have the keys) are not running.

The reason you cannot set the keys is because it would also allow you to set the keys the same as another machine, and thus play media that is authorized onl

Before that, he was deputy chief of the Justice Department's Computer Crimes and Intellectual Property section, where he worked under Scott Charney, who is currently corporate vice president for trustworthy computing at Microsoft
Trust... worthy... computing at Microsoft... Isn't there a law that prohibits the words trustworthy and Microsoft in the same sentence?

I do not think it's forbidden, but it comes very close to the definition of Oxymoron, [wikipedia.org] i.e. mutually contradictory terms.

Well, wouldn't a former Microsoft executive be in the best position to know how fucked up Microsoft security really is? You'd think this would be a case of the burned hand learning best, in this case, the burned hand is also the one who turned on the fire.

Well, alright, I'm blowing smoke and I know it.:) Odds are this guy has so much stock in Microsoft and their affiliates that it doesn't matter what he personally believes, his wallet will be speaking for him. Obama is turning out to be fairly disappoi

this guy doesn't seem a half way bad pick. of course if it was my call i'd eliminate the whole DHS nonense and just fund the FBI,NSA,CIA and police properly. if those 4 agencies can't get it done wtf is the DHS going to add?

The DHS is the over-arching agency containing the previously separate agencies you listed above.

Prior to the creation of the DHS, communication between agencies like the CIA and FBI was legally difficult because of the lack of transparency. But now that they are under the same umbrella agency, they can share information much more easily.

Ummm....the CIA and the FBI are not under the same agency now. The FBI is an agency of the Department of Justice and the CIA is an independent agency that quasi-reports to the Director of National Intelligence.
The other agencies mentioned, the NSA and the police, are also not part of DHS. NSA is an agency of the Department of Defense and policing is a local function, run by any number of local agencies.
But by all means, keep talking about things you obviously don't know anything about and cannot be bo

How about the Department of Miscommunication. The basic problem, it seems to me, is that miscommunication is spread out over the entire government structure. Now if we were to centralize it into a D. of MC., then all the other departments could rely on that sole department to implement their miscommunication and they would be left to do their jobs in peace.

It wouldn't do to have the other departments communicate with the new D. of MC. (the obvious paradox, eh). Instead, there would be D. of MC. staffers in

If we could achieve with nuclear fusion what we have achieved with DHS, we'd all be living off of cheap and reliable energy.

Suffice to say, the DHS is rather self-sustaining. If it isn't keeping liquids off aircraft or your electronics in the baggage handlers' pockets, its harassing and keeping us American citizens in fear.

Suffice to say, the DHS is rather self-sustaining. If it isn't keeping liquids off aircraft or your electronics in the baggage handlers' pockets, its harassing and keeping us American citizens in fear.

Fear them? Why? Because they stand at every gateway in their suits shouting 'YOUR PAPERS!!' with a nazi accent before frisking you and sending you away to some internment camp in a foreign nation where they cant be prosecuted for waterboarding you?

this guy doesn't seem a half way bad pick. of course if it was my call i'd eliminate the whole DHS nonense and just fund the FBI,NSA,CIA and police properly. if those 4 agencies can't get it done wtf is the DHS going to add?

DHS adds funding for the Coast Guard. Before the DHS nonsense, the CG was within the Department of Transportation. Not really enough money in the pot for the CG to keep a modern fleet and perform all of it's various rolls.

I wonder if we will be seeing US-CERT standing up to Microsoft the way they did with this [us-cert.gov] (a vector for conficker) with him in charge.

I have a sick feeling about this. This guy was surely part of the Microsoft effort to call this a feature. And what was this "political infighting" that the article alludes to? I hope it wasn't over whether to go after Microsoft for aiding in the creation of the largest botnet to date.

While anecdotes from Windows users regarding how they tried to make an inherently insecure system secure could be extremely valuable, I doubt that anecdotes about how Microsoft executives tried to make their systems secure will be equally valuable. This was a ridiculous choice, and further undermines my initial hope that Obama might indeed turn out to be a good President.

The choice of an executive officer of a major supplier of operating systems -- Windows of all things -- to this position sends a clear message to those who have been involved in "security" issues for many years. And that message is: "We don't care about 'security' except to the extent that it affects our corporate friends."

Pardon me, I should qualify that statement. If you are referring to Vista, which arguably has respectable security, my reply is: maybe the security is okay but nobody wants to use it. If, on the other hand, you are referring to Windows 7, then my reply is: we'll believe it when we see it.

Pardon me, I should qualify that statement. If you are referring to Vista, which arguably has respectable security, my reply is: maybe the security is okay but nobody wants to use it. If, on the other hand, you are referring to Windows 7, then my reply is: we'll believe it when we see it.

Since the fundamental design of Windows security hasn't really changed since Windows NT 3.1, I still want to hear about why it's any more or less "inherently insecure" than other platforms.

For some reason that escapes me at the moment, I have changed my mind and decided to be charitable, and explain some things that should be obvious to the merest idiot:

If Microsoft's basic security model has really not changed since NT 3.1, then there was really no reason to implement Vista's UAC... other than to unsuccessfully emulate the default security mode in most Linux distros. And, as so many people have reported in painful and repeated detail, the Vista UAC was indeed something that should have be

If Microsoft's basic security model has really not changed since NT 3.1, then there was really no reason to implement Vista's UAC...

Right. Just like if Linux's "security model" hasn't changed since 1991 there wouldn't be any need for those nice graphical sudo prompts and the like that everyone gets now.

UAC is little more than UI gravy. It's mostly about putting a prettier and more automated face onto "Run As", much like the graphical sudo prompts in OS X and recent Linux distros do. The underlying AC

You completely missed the point. If the UAC did not actually change the security model, then there was no real reason for its existence other than theater. You are merely confirming what others already know: it was a joke masquerading as "security". And if the security model did not really change, then the interface for it really did not need to change.

The fact is that some basic security assumptions needed to change but they did not. The UAC has little to do with that directly but it illustrates the ext

I haven't danced around anything. I did not say that the UAC "might" be security theater, or any of these things you accuse me of.
Here is simple logic, okay? I guess at this level I have to ask: You accept that simple logic is valid? From what you have stated I am not sure.

*IF* the Windows security model hasn't changed, *THEN* the UAC is a joke. Okay? There is no reason for its existence OTHER THAN show.

Get it?

And the presence of such a major "feature" for nothing but show is... well, "stupid" c

I like how this guy, whom I don't know much about, is painted a smart pick, coming as he does from the largest single computer security threat on the planet. Anybody recall that up to not very long ago at all security was not on their agenda? Simply because it made them more money not to care.

Oh, and that is remebering their own words and without mentioning the usual, such as that they are convicted monopolists too, their business practices suck, their code sucks, their customer service and sales techniques reminisces that of office depot, and so on and so forth.

The bottom line is that in politics you usually don't let the guy who fucked it up try and fix it. Unless perhaps the guy has friends in high places.

How do you explain the Congress then? They cannot all have friends in high places. Watch CSpan when they broadcast hearings sometime. It's amazing how clueless these morons can be, especially the House members. For some odd reason, Senators have two brain cells to rub together instead of a single loner.

The president's DHS pick has brought on board a liason from Symantec. Now everything will STILL be insecure, but run twice as slow, cost even MORE "way too much", and bitch, moan and cry about being renewed every year.

If Obama were serious about duty, he would never have become president of the USA. Presidents who want to make a difference are not permitted to do so. A bit more cynically, I would say that presidential candidates who want to make a difference are demonized, like when they said Nader was responsible for the loss of Gore. Did anyone else catch that whole kerfluffle with the ballots in that election? You can't blame the stopping of a completely legal and by-the-book recount on the guy, can you?

Even that was not as blatant as the simple and direct refusal of the media to allow Ron Paul to participate in the more major debates this last election.

People could reasonably (incorrectly, but whatever) interpret that as media bias. Wielding the new and improved Supreme Court to stop a completely legal ballot recount which almost certainly would have reversed the election, on the other hand, could not be construed by an intelligent individual as anything other than direct manipulation of the election system for the purpose of altering the result. When the well-substantiated reports of ballot fraud started coming in and they universally targeted primarily-

I believe Jane was referring to the no-holds-barred media blackout of Ron Paul coverage in the MSM. I completely empathize as I feel that if he were allowed to participate in a few of the bigger debates he would have DESTROYED Obama, McCain, and Clinton.
-Oz

I thought it was like preaching to the converted. Why bother? They're not the ones who need to be convinced.

Yes, MS is evil. Yes, I won't work on MS systems (well, not past MSWind98) due to issues with the EULA. This isn't news, and most of Slashdot agrees, so why post about it? (Well, actually, most people on Slashdot have different major issues, but most of use have severe ones.)